Test: Threat Detection

Drata inspects your company AWS configuration to determine if AWS GuardDuty is in place to detect unauthorized file additions.

Written by Ashley Hyman
Updated over a week ago


This test is part of the Logging/Monitoring control, which ensures that your company has AWS GuardDuty in place if it uses AWS infrastructure. AWS GuardDuty must be configured within the cloud environment to detect unauthorized file additions, server instances, and application containers.


If Drata detects AWS infrastructure but is unable to find AWS GuardDuty, the test will fail. To remediate a failed test, you will need to set up and configure AWS GuardDuty to detect unauthorized file additions.


To ensure a validated state when testing for AWS GuardDuty, please follow the steps listed in the table below. Once the provider steps have been completed, navigate back to Drata and execute the test.

Provider / Technology: AWS - GuardDuty

Provider Steps: Turn on GuardDuty in at least one region

  1. Go to the region

  2. Click on the "Get started" button

  3. Enable S3 Monitoring under GuardDuty > Protection Plans > S3 Protection > Enable

  4. Create an Event here (switch to your region as needed) by clicking Create rule

    1. Provide a Name and optional Description

    2. Event bus: default

    3. Toggle on "Enable the rule on the selected event bus"

    4. Rule type: rule with an event pattern

    5. Event Source: AWS events or EventBridge partner events

    6. Event pattern -> Event source: AWS services

    7. AWS service: GuardDuty

    8. Event type: GuardDuty Finding

    9. Target: This can be any valid target within the Event System, e.g. SNS

    10. Click 'Configure details'

    11. Click 'Create rule'
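
To confirm the steps above took effect before re-running the test, the following added example (not Drata's test logic and not code from this article) checks the three settings: detector enabled, S3 Protection enabled, and an enabled default-bus rule that selects GuardDuty findings and has a target. It assumes input dictionaries shaped like the JSON returned by `aws guardduty get-detector`, `aws events list-rules` and `aws events list-targets-by-rule`; the function names, rule name and sample values are constructed for illustration.

```python
import json

# Event pattern the console builds for "AWS service: GuardDuty" / "Event type: GuardDuty Finding".
FINDING_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

def s3_protection_enabled(detector):
    """True if the detector reports S3 protection as enabled (newer or older response shape)."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == "S3_DATA_EVENTS":
            return feature.get("Status") == "ENABLED"
    return detector.get("DataSources", {}).get("S3Logs", {}).get("Status") == "ENABLED"

def rule_forwards_findings(rule, targets):
    """True if an enabled default-bus rule selects GuardDuty findings and has a target."""
    if rule.get("State") != "ENABLED" or rule.get("EventBusName", "default") != "default":
        return False
    try:
        pattern = json.loads(rule.get("EventPattern") or "{}")
    except json.JSONDecodeError:
        return False
    if not isinstance(pattern, dict):
        return False
    selects = all(want[0] in pattern.get(key, []) for key, want in FINDING_PATTERN.items())
    return selects and len(targets) > 0

def audit_region(detector, rules, targets_by_rule):
    """Return the gaps against the steps above; an empty list means every step is met."""
    gaps = []
    if detector is None or detector.get("Status") != "ENABLED":
        gaps.append("GuardDuty detector not enabled")
    elif not s3_protection_enabled(detector):
        gaps.append("S3 Protection not enabled")
    if not any(rule_forwards_findings(r, targets_by_rule.get(r["Name"], [])) for r in rules):
        gaps.append("no enabled EventBridge rule with a target for GuardDuty findings")
    return gaps

# Constructed sample data (not real account output): step 3 was skipped,
# so S3 Protection is still disabled while the rule from step 4 exists.
DETECTOR = {"Status": "ENABLED", "Features": [{"Name": "S3_DATA_EVENTS", "Status": "DISABLED"}]}
RULES = [{"Name": "gd-findings", "State": "ENABLED", "EventBusName": "default",
          "EventPattern": '{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}'}]
TARGETS = {"gd-findings": [{"Id": "1", "Arn": "arn:aws:sns:us-east-1:111122223333:example-topic"}]}

if __name__ == "__main__":
    for gap in audit_region(DETECTOR, RULES, TARGETS) or ["all steps satisfied"]:
        print(gap)
```

Run it once per region you enabled, since GuardDuty detectors and EventBridge rules are regional.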

